Compliance with PCI DSS is mandatory for any organization that stores, processes, or transmits cardholder data. It also applies to any service provider that can affect the security of another organization's cardholder data environment (CDE). Achieving and maintaining compliance can require heavy lifting within an organization, but the right partner can help ease the load.
The security requirements of the standard are the same for every merchant. What changes with the payment environment and transaction volume is how compliance must be validated (a full assessment versus a self-assessment, and who may perform it) and which Self-Assessment Questionnaire applies. It is therefore important to understand the merchant levels and how each card brand defines them.
History of the PCI DSS
The PCI DSS grew out of the separate security programs that the five major card brands (Visa, MasterCard, American Express, Discover, and JCB) had each imposed on merchants to combat the ever-growing problem of card fraud. Rather than burden merchants with five competing standards, the brands aligned their programs into a single standard, PCI DSS 1.0, released in December 2004, and in 2006 formed the Payment Card Industry Security Standards Council (PCI SSC) to own and maintain it.
As the threat landscape has evolved, the PCI DSS has been revised to address new attack techniques and fraud tactics. Since version 1.0 in 2004 the standard has gone through several major revisions; the current major version, 4.0, was published in March 2022 (with a limited revision, 4.0.1, published in June 2024), and version 3.2.1 was retired at the end of March 2024.
Since most of the confusion comes from the four merchant levels, that is what this article focuses on. The level is determined by the number of transactions a merchant processes per year, and the level in turn determines how compliance must be validated. It does not change the controls themselves: every merchant must meet the full set of applicable DSS requirements.
PCI DSS Merchant Levels
There are four merchant levels, each with a different set of validation requirements, determined largely by the number of transactions a merchant processes each year.
Why define separate levels in the first place? The card brands use merchant levels as a proxy for risk: the more transactions a merchant handles, the more cardholder data is exposed if it is compromised. The level therefore determines how much independent assessment and security validation is required for the merchant to demonstrate PCI DSS compliance.
At a very high level, the PCI DSS merchant levels are as follows:
- Level 1 – Over 6 million transactions annually
- Level 2 – Between 1 million and 6 million transactions annually
- Level 3 – Between 20,000 and 1 million e-commerce transactions annually
- Level 4 – Fewer than 20,000 e-commerce transactions annually, or up to 1 million transactions annually through any other channel
While these tiers seem straightforward at first glance, it can be difficult to discern exactly which one your organization falls into, because each card brand maintains its own table of merchant levels, and each defines the levels a bit differently.
Discover, Visa, and Mastercard use the same general criteria, with a few minor differences. JCB and American Express have their own thresholds. In practice, if you qualify for a given level with one brand you will generally be treated as that level by all of them, with a few minor exceptions; where the brands differ, the higher (more demanding) level applies.
Each card brand publishes its own merchant-level table and validation requirements on its website; the summary below is drawn from those tables.
Taking a closer look, the merchant levels are as follows:
Level 1
- Criteria:
- Merchants processing more than 6 million Visa, MasterCard, or Discover transactions annually via any channel.
- Merchants processing more than 2.5 million American Express transactions annually.
- Merchants processing more than 1 million JCB transactions annually.
- Merchants that have suffered a data breach or cyberattack that resulted in cardholder data being compromised.
- Merchants that have been identified by another card brand as Level 1.
- Merchants that a card brand, at its sole discretion, determines should meet the Level 1 requirements to minimize risk to the payment system.
- Validation Requirements:
- Annual onsite assessment documented in a Report on Compliance (ROC), performed by a Qualified Security Assessor (QSA) or by an internal auditor if the ROC is signed by an officer of the company. Mastercard requires that the internal auditor hold the PCI SSC Internal Security Assessor (ISA) certification.
- Quarterly external vulnerability scans by an Approved Scanning Vendor (ASV).
- Annual Attestation of Compliance (AOC).
Level 2
- Criteria:
- Merchants processing between 1 million and 6 million Visa, Mastercard, or Discover transactions per year via any channel
- Merchants processing between 50,000 to 2.5 million American Express transactions annually
- Merchants processing less than 1 million JCB transactions annually
- Validation Requirements:
- Annual Self-Assessment Questionnaire (SAQ) signed by an officer of the company. Mastercard requires that a Level 2 SAQ be completed by staff holding the ISA certification or by a QSA; otherwise the merchant must submit a ROC.
- Quarterly external vulnerability scans by an Approved Scanning Vendor (ASV).
- Annual Attestation of Compliance (AOC).
Level 3
- Criteria:
- Merchants processing between 20,000 and 1 million Visa e-commerce transactions annually
- Merchants processing more than 20,000 Mastercard e-commerce transactions annually, but no more than 1 million Mastercard e-commerce transactions annually
- Merchants processing between 20,000 and 1 million Discover card-not-present-only transactions annually
- Merchants processing fewer than 50,000 American Express transactions annually
- Validation Requirements:
- Annual Self-Assessment Questionnaire (SAQ)
- Quarterly network scan by Approved Scan Vendor (ASV)
- Attestation of Compliance Form
Level 4
- Criteria:
- Merchants processing fewer than 20,000 Visa or Mastercard e-commerce transactions annually
- All other merchants processing up to 1 million Visa or Mastercard transactions annually, regardless of channel
- Validation Requirements:
- These largely depend on the requirements of the merchant’s acquiring bank
- Typically include an SAQ and Quarterly External Scan by ASV
Level 3 and Level 4 merchants may, at their own discretion, engage a PCI SSC-approved QSA for an onsite assessment instead of performing a self-assessment.
Visa updated its validation requirements for small merchants effective January 31, 2017. Two points are worth calling out. First, Level 4 merchants must use only PCI SSC-certified Qualified Integrators and Resellers (QIR) for point-of-sale (POS) application and terminal installation and integration. Second, acquirers must ensure that Level 4 merchants either validate PCI DSS compliance annually or participate in Visa's Technology Innovation Program (TIP). Qualifying TIP merchants may discontinue the annual validation assessment; note that TIP waives validation only, not the obligation to be compliant.
Note: Standalone dial-out terminals without Internet connectivity are considered low risk and may be excluded from these requirements.
One other thing to note: a merchant that has suffered a breach of cardholder data can be reclassified as Level 1 for PCI compliance purposes regardless of transaction volume (Mastercard lists this explicitly, and the other brands reserve the discretion to do so). A full ROC is daunting and expensive even for a small organization, so Level 2 through Level 4 merchants have an added incentive to make sure they truly are PCI compliant rather than merely attesting that they are.
Fines and Consequences
- Monthly Penalties:
Non-compliance can result in penalties commonly cited in the range of $5,000 to $100,000 per month. The card brands (Visa, Mastercard, Discover, American Express) levy these fines on the merchant's acquiring bank, which passes them on to the merchant under the merchant agreement. The amount depends on the merchant's size and transaction volume, and on how long the non-compliance persists.
- Data Breaches:
PCI DSS Compliance does not prevent data breaches; companies that meet PCI DSS requirements can suffer attacks and data loss. If a company is compliant and suffers a data breach, it can still be responsible for paying penalties. However, the card brands may significantly lower or eliminate fines if the company in question has taken all the necessary steps to be PCI DSS compliant.
- The average cost of a breach is $150 per record, according to the Ponemon Institute’s 2019 “Cost of a Data Breach” report;
- Costs of card replacement or issuing, between $3 to $10 per card;
- Increased rates charged by banks and/or processors
- Termination of Merchant Relationship with the credit card brands;
- Lawsuit by the clients whose information has been breached;
- Costs of mandatory credit monitoring for customers whose data was compromised, identity theft remediation, etc.;
- Costs of the forensic investigation to determine the causes of the data breach.
- Legal Action:
Lawsuits against your company are a common outcome. In 2007, TJX Companies (parent of Marshalls and T.J. Maxx) agreed to pay $40.9 million to settle claims from Visa card issuers over a breach that exposed tens of millions of payment cards, with some estimates approaching 100 million. In 2014, a breach at Neiman Marcus exposed the card data of approximately 1.1 million customers.
- Damaged Reputation:
Putting clients' payment card information at risk can cause lasting damage to a company's reputation, on top of the direct costs described above. Once a breach has occurred, it is very difficult to regain clients' trust.
- Revenue Loss:
In addition to the loss of brand reputation, a merchant can expect revenue to drop sharply as customers leave following a breach. A large retail merchant breached in late 2013, in an incident that affected more than 41 million customer payment cards, later agreed to an $18.5 million settlement with state attorneys general; its profit in the quarter following the breach was roughly $440 million lower than in the same quarter of the prior year.
As a qualified security assessor company (QSAC), AccessIT not only conducts the official onsite PCI assessment to validate compliance, but we also work with our clients to develop long-term compliance strategies and streamline ongoing compliance maintenance. As an extension of your team, we go beyond compliance to help align security requirements, technology investments, and business goals to cost-effectively mitigate risk and improve business performance.
- Our bench of dedicated PCI consultants averages 20 years of experience and has addressed risks and compliance requirements across the globe.
- AccessIT brings hands-on experience to diverse client environments including healthcare, retail, banking, and manufacturing. Our certified QSAs deliver high-quality PCI assessments and meet strict deadlines.
- PCI regulations and requirements are constantly shifting, and we continue to adjust our proven methodologies to meet changing regulations. Formed from deep industry experience, AccessIT evaluates PCI risks, identifies gaps, recommends a course of action, and can provide your organization with ongoing guidance.
- AccessIT offers CISO-level consultants, who can help our clients untangle competing and conflicting requirements from numerous regulations and place our clients on a solid footing.
- Our QSAs take the time to understand your environment and business needs to make sure you are truly meeting the PCI DSS requirements; we are not trying to check a box.
By: Chad Barr – Director of Governance, Risk & Compliance – CISSP | CCSP | CISA | CDPSE | QSA